Streaming API support for Data Security tables in Microsoft Defender XDR Advanced Hunting [MC1137606]

Message ID: MC1137606

As part of the integration between Microsoft Purview Insider Risk Management and Microsoft Defender XDR, we’re enabling Streaming API support for two Advanced Hunting tables: DataSecurityEvents and DataSecurityBehaviors. These tables contain insider risk alert data, and this enhancement allows organizations to receive data in real time via event hubs. We invite your organization to explore this feature and share feedback.

When this will happen:

  • Public Preview: Rollout will begin in late August 2025 and is expected to complete by mid-September 2025.

How this affects your organization:

With Streaming API support, your organization can receive insider risk alert data as soon as it’s available in the DataSecurityEvents and DataSecurityBehaviors tables. This push-based model eliminates the need for repeated polling, unlike the Graph API, which requires pull-based requests. This enhancement improves data timeliness and reduces overhead for security operations teams.

This feature is off by default and requires configuration to begin streaming data.

What you can do to prepare:

Compliance considerations:

  • Alters how existing customer data is processed, stored, or accessed: Yes – Insider risk alert data is now streamed in real time to customer-defined event hubs, changing how data is accessed.
  • Adds integration to 3rd party software products: Yes – Streaming API enables integration with external SIEM and data platforms via event hubs.
  • Includes an admin control and can be controlled through Entra ID group membership: Yes – Admins can configure access and streaming endpoints, and control permissions via Entra ID.

Source: Microsoft
